pendle.finance
Summary
Pendle Finance is a yield-trading protocol with roughly $1.15B TVL across 11 chains, tokenizing future yield into Principal Tokens (PT) and Yield Tokens (YT) traded on a custom AMM. It has operated since 2021 with no confirmed direct smart-contract exploit, supported by 15+ audits and $2.5M in active Cantina bug bounties. The main concerns are that 45% of contracts are unverified, that a 3-of-5 multisig can upgrade core logic without a timelock, and that permissionless market creation enabled the $27M Penpie ecosystem loss in September 2024. Overall risk is medium-high at 5.7/10.
Trust Assumptions
Users trust that the 3-of-5 governance multisig (0x8119…ee1) will not abuse immediate upgrade authority over ProxyAdmin, PendleRouterV4, and core factories. Depositors assume unverified bytecode for sPENDLE (~33M supply) and ProxyAdmin matches audited logic, that permissionless SY adapters and markets they interact with are sound, and that LayerZero cross-chain messaging delivers timely, accurate PT exchange rates. Integrators relying on Pendle's internal AMM TWAP oracles must trust those prices cannot be manipulated within observation windows.
What Could Go Wrong
A compromised 3-of-5 multisig could swap core contract implementations instantly via ProxyAdmin—no timelock—potentially affecting the full $1.15B TVL before users can react. A malicious or defective permissionless SY adapter could poison exchangeRate() pricing across markets and cross-chain oracles, repeating the Penpie pattern where a fake market enabled a $27M third-party loss. The Optimism PT OFT Adapter Factory is controlled by a single EOA (Core Deployer), so key compromise could reconfigure cross-chain PT bridging on that chain; combined with LayerZero latency and no Chainlink fallback, stale rates could cause mispriced liquidations on spoke chains.
Recommendation
Pendle is suitable for moderate capital allocation given its five-year track record, strong audit discipline, and demonstrated crisis response—the team paused all contracts within one hour during Penpie and reportedly protected $70–105M in downstream TVL. Actively monitor governance multisig transactions (especially ProxyAdmin upgrades and router facet remaps), verification status of the 18 unverified contracts, and any new permissionless markets or SY adapters before depositing. Consider reducing exposure if upgrade timelocks are not implemented, the Optimism EOA factory is not migrated to multisig control, or large vePENDLE unlocks (~64.6M PENDLE, 23% of supply) accelerate selling during the sPENDLE migration.
Analysis Sections
Pendle is controlled by Gnosis Safe multisigs, not on-chain DAO voting. Ethereum mainnet governance is a 3-of-5 Safe (0x8119…ee1) that owns PENDLE, Router, ProxyAdmin, and several factories; a PendleGovernanceProxy (0x2aD6…f31e, same address on all chains) holds DEFAULT_ADMIN over MarketFactory, GaugeController, and LimitRouter per verified initialize() source. A separate 2-of-5 Dev Multisig (0xE6F0…cb1) owns PT OFT Adapter Factory and Arbitrum bridge factories. No timelock was found on upgrades. Cross-chain governance is asymmetric: Optimism uses a weaker 2-of-4 Safe while other chains use 3-of-5. LayerZero endpoint owners are LZ delegate contracts, not Pendle multisigs.
Findings (8)
On-chain verification found no TimelockController or delay mechanism on ProxyAdmin, PendleGovernanceProxy (UUPS), or core factory proxies. The 3-of-5 governance multisig can execute upgrades, parameter changes, and batched admin calls via PendleGovernanceProxy.aggregate() immediately. PENDLE token config changes have a 7-day delay, but contract upgrades do not.
Per-chain Gnosis Safe governance proxies use different signer sets and thresholds. Optimism governance Safe (0xa06C863fcf17cA6f24AA81aeA75E23953193fF6A) is 2-of-4, while Ethereum (0x8119…ee1), Arbitrum/Base (0x7877…75Ac), and BSC (0xA066…a9Ec) are 3-of-5 with overlapping signer sets. Optimism is the weakest governance link for chain-specific actions.
PT OFT Adapter Factory on Ethereum (0x905aF80C4DE82E0075a19fDE2f5777f1A6636732) and Arbitrum (0x4F215b3F8a6E056Ff293E6818F3f501B5F4787D7) report owner() as the Dev Multisig (0xE6F0489ED91dc27f40f9dbe8f81fccbFC16b9cb1), a 2-of-5 Safe — not the main 3-of-5 governance Safe. Cross-chain PT bridging configuration can be changed with a lower threshold than core protocol upgrades.
Pendle uses two control layers: (1) direct 3-of-5 multisig ownership of PENDLE token, PendleRouterV4, ProxyAdmin, SYFactory, YieldContractFactoryV6, and SenderEndpoint; (2) PendleGovernanceProxy (AccessControl + UUPS) as owner of MarketFactoryV6, GaugeController, and LimitRouter on all chains. Deployment config initializes GovernanceProxy with the main governance Safe as DEFAULT_ADMIN. This split increases the attack surface and operational complexity versus a single governance path.
LayerZero Endpoint contracts on Ethereum, Arbitrum, and Base report owner() as chain-specific LZ delegate contracts (~14KB bytecode, nonce 507 on Ethereum), not Pendle multisigs. Pendle cannot unilaterally upgrade or reconfigure the underlying LZ endpoint; cross-chain PT bridging depends on LayerZero infrastructure governance.
PendleGovernanceProxy defines a GUARDIAN role (AccessControl) with pause(address[]) capability on any IPPausingInterface contract. GUARDIAN or DEFAULT_ADMIN can invoke pause. This is an appropriate emergency lever but concentrates pause power in multisig-controlled roles without public timelock oversight.
The Core Deployer address (0x1FcCC097db89A86Bfc474A1028F93958295b1Fb7) has no contract code on Ethereum, so it is an externally owned account (EOA). It deployed PendleGovernanceProxy via a CREATE2 factory in Aug 2024. While not currently an on-chain admin of live contracts, EOA deployer keys represent deployment-time key-person risk.
Third-party sources and discovery notes reference a 2-of-4 multisig. On-chain verification shows Ethereum main governance is 3-of-5 (nonce 800+), Dev Multisig is 2-of-5, and only Optimism matches a 2-of-N pattern (2-of-4). Users relying on docs may underestimate mainnet quorum requirements.
Governance Checklist
Verified Multisig Parameters
| Chain | Role | Address | Threshold | Signers |
|---|---|---|---|---|
| Ethereum | Main Governance | 0x8119EC16F0573B7dAc7C0CB94EB504FB32456ee1 | 3 / 5 | 0x231fC5…, 0x7bd456…, 0x9ce6de…, 0x38ab4a…, 0xf51736… |
| Ethereum | Dev Multisig | 0xE6F0489ED91dc27f40f9dbe8f81fccbFC16b9cb1 | 2 / 5 | 0x806c8c…, 0xe397e6…, 0xf51736…, 0xe81b32…, 0x231fC5… |
| Arbitrum | Chain Governance | 0x7877AdFaDEd756f3248a0EBfe8Ac2E2eF87b75Ac | 3 / 5 | Same 5 signers as Ethereum main |
| Base | Chain Governance | 0x7877AdFaDEd756f3248a0EBfe8Ac2E2eF87b75Ac | 3 / 5 | Same 5 signers as Ethereum main |
| Optimism | Chain Governance | 0xa06C863fcf17cA6f24AA81aeA75E23953193fF6A | 2 / 4 | 0xf51736…, 0x9ce6de…, 0x38ab4a…, 0x7bd456… |
| BSC | Chain Governance | 0xA06627d9884996BC27a7c20fDA94FC94C13aa9Ec | 3 / 5 | Same 5 signers as Ethereum main |
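
An added example (not part of the original report and not Pendle's code): a Python check that decodes raw `eth_call` return data for the Safe `getThreshold()` and `getOwners()` functions and compares it with the table above, so drift in threshold or signer count is flagged. The owner addresses and return data are constructed placeholders; sending the request to a node is left to the operator.

```python
# Safe function selectors (first 4 bytes of keccak256 of the signature).
SEL_GET_THRESHOLD = "0xe75235b8"  # getThreshold()
SEL_GET_OWNERS = "0xa0e67e2b"     # getOwners()
MAIN = "0x8119EC16F0573B7dAc7C0CB94EB504FB32456ee1"

# Expected (label, threshold, owner count), copied from the table above.
EXPECTED = {
    MAIN: ("Ethereum main governance", 3, 5),
    "0xE6F0489ED91dc27f40f9dbe8f81fccbFC16b9cb1": ("Ethereum dev multisig", 2, 5),
    "0xa06C863fcf17cA6f24AA81aeA75E23953193fF6A": ("Optimism chain governance", 2, 4),
}

def eth_call_payload(safe, selector, req_id=1):
    """JSON-RPC body (as a dict) an operator would POST to their own node."""
    return {"jsonrpc": "2.0", "id": req_id, "method": "eth_call",
            "params": [{"to": safe, "data": selector}, "latest"]}

def decode_uint256(ret):
    return int(ret[2:66], 16)

def decode_address_array(ret):
    """Decode ABI-encoded address[]: offset word, length word, one word per element."""
    raw = bytes.fromhex(ret[2:])
    offset = int.from_bytes(raw[:32], "big")
    n = int.from_bytes(raw[offset:offset + 32], "big")
    body = raw[offset + 32:]
    if len(body) < 32 * n:
        raise ValueError("truncated getOwners() return data")
    return ["0x" + body[32 * i + 12:32 * i + 32].hex() for i in range(n)]

def check_safe(safe, threshold_ret, owners_ret):
    """Return drift findings; an empty list means on-chain state matches the table."""
    label, want_t, want_n = EXPECTED[safe]
    got_t, got_n = decode_uint256(threshold_ret), len(decode_address_array(owners_ret))
    findings = []
    if got_t != want_t:
        findings.append(f"{label}: threshold {got_t}, expected {want_t}")
    if got_n != want_n:
        findings.append(f"{label}: {got_n} owners, expected {want_n}")
    return findings

def encode_owners(addrs):  # builds the constructed sample responses below
    words = [32, len(addrs)] + [int(a, 16) for a in addrs]
    return "0x" + "".join(f"{w:064x}" for w in words)

# Constructed sample data: placeholder owner addresses, not the real signers.
SAMPLE_OWNERS = [f"0x{i:040x}" for i in range(1, 6)]
OK = check_safe(MAIN, f"0x{3:064x}", encode_owners(SAMPLE_OWNERS))
DRIFT = check_safe(MAIN, f"0x{2:064x}", encode_owners(SAMPLE_OWNERS[:4]))
```

Run on a schedule against each chain's Safe, a non-empty result is the signal to review recent multisig transactions before any further deposits.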